Salt Security, the API security company, has released findings from its first industry-focused report on API security. Titled, the 2023 State of API Security for Financial Services and Insurance, the report combines empirical data from Salt customers and findings from two separate surveys. It provides an in-depth analysis of the impact of API security threats and vulnerabilities on these industries.
The Salt Security results found API attackers targeting financial services and insurance APIs have become increasingly active. There has been a 244 per cent increase in unique attackers between the first and second halves of last year. Additionally, 92 per cent of financial/insurance respondents say they have experienced a significant security issue in production APIs over the past year. Furthermore, nearly one out of five have suffered an API security breach.
The report also shows that 69 per cent of financial services/insurance respondents say they have experienced rollout delays due to API security issues. This is 11 per cent higher than the overall response average. Furthermore, 17 per cent of respondents have experienced an API-related security breach. Eighty-four per cent of attacks against financial services/insurance sectors came from ‘authenticated’ users who appeared legitimate but were actually attackers.
Shockingly, 71 per cent of financial/insurance respondents say their existing tools are not very effective in preventing API attacks. In fact, more than 25 per cent of respondents say they have no current API strategy
“APIs are essential for the innovative digital services being delivered today by financial and insurance organisations,” said Roey Eliyahu, CEO and co-founder of Salt Security. “However, because these APIs transport sensitive customer and financial information, cybercriminals also know they share a wealth of data that can be leveraged for theft or fraud. The findings show these companies are suffering significant increases in attackers and other security issues, increasing their vulnerability to API-related incidents.”
Securing APIs to protect new digital services is a business priority
API security breaches can cost businesses in fines, loss of customer trust, and reputational damage. Also costly are delays in application rollouts or rollbacks of new applications. Given the importance of digital services as a business driver in these industries, API security has become a critical issue, as highlighted by the following findings:
- Fifty-six per cent of financial services/insurance respondents say API security is now a C-level issue (eight per cent higher versus the overall response average at 48 per cent).
- Seventy-nine per cent of financial services/insurance CISOs say that API security is a higher priority today than two years ago.
- Seventy-six per cent of financial services/insurance CISOs say their organisations have made API security a planned priority over the next two years, with 13 per cent saying it will be a critical priority.
“Given the growing importance of APIs over the last several years for enabling modern businesses, it is surprising that API security has become mainstream only recently,” said Jeff Farinich, SVP technology and CISO at New American Funding.
“The fact that security frameworks and regulations are slow to evolve is partly to blame, but I see hope on the horizon. The Federal Financial Institutions Examination Council (FFIEC), which usually takes years to issue a new mandate, in just one year explicitly called out APIs as a separate attack surface, requiring financial institutions to inventory, remediate, and secure API connections.”
Despite rising attacks, financial services/insurance lack adequate protection for APIs
Financial services/insurance respondents say they are not prepared or taking the right measures to protect APIs from threats. In fact, 28 per cent of respondents – all with APIs running in production – say they have no current API strategy. A further 42 per cent of respondents have little confidence in understanding which APIs expose PII, while just 13 per cent of respondents consider their API security programs advanced.
Twenty-five per cnet of respondents say their current API security strategy doesn’t focus enough time on documenting APIs. Lastly, only 42 per cent of respondents identify API security gaps during production/runtime, which is where actual attack activity occurs.
Financial services/insurance respondents also cited outdated/zombie APIs as their number one API security concern at 48 per cent. This is nearly 35 per cent higher than second top API security concern cited, account takeover (ATO).
Other notable findings from the State of API Security for Financial Services and Insurance include:
- Nine per cent of API attacks against financial/insurance institutions targeted internal APIs, representing a 613 per cent increase between the first and second halves of last year.
- Sixty-one per cent of financial/insurance respondents manage more than 100 APIs, and 36 per cent manage more than 500.
- Twenty-seven per cent say they have more than doubled their APIs over the past year.
- Respondents most value the ability to stop attacks (49 per cent) in an API security platform, followed closely by meeting compliance/regulatory requirements (48 per cent).
- While 36 per cent of respondents update their APIs at least weekly, only 10 per cent update documentation at the same pace.